PlayReady Client Initialization

PlayReady Client Initialization is the process of updating the PlayReady runtime on the client, allowing licenses to be bound to the client.

It may go by different names on different clients:

  • CDM init, for Client Decryption Module initialization
  • PlayReady Individualization
  • PlayReady Activation
  • PlayReady Local Provisioning
  • PlayReady Remote Provisioning

PlayReady Client Initialization must be performed on every PlayReady client before most DRM-related operations will be allowed.

What PlayReady Client Initialization does

A PlayReady Client Initialization operation provides a device with all or part of the following PlayReady Client Initialization data, depending on what was already present:

  • A functional PlayReady client stack.
  • A unit-level PlayReady Final Product Client Certificate, unique per unit.

This unit-level PlayReady Client Certificate, also known as the device certificate or leaf certificate, is the certificate chain to which PlayReady licenses are bound when they are generated by a PlayReady license server.

This certificate contains information on the manufacturer, the device model, and the unit itself, such as:

  • Manufacturer name
  • Model name
  • Security Level
  • Version
  • Supported features
  • Unit Client ID

Although this unit-level PlayReady Client Certificate includes a Client ID, this value should not be used by app developers to uniquely identify a unit. App developers should use platform IDs (for example, the Windows 10 device identifier, or the processor's ID) linked to a PlayReady license request to uniquely identify PlayReady units.

When PlayReady Client Initialization is performed

This initialization may be performed at the factory before the device is distributed to end users, performed over the Internet the first time a device is booted, or performed the first time an application is run.

Initialization may also be performed again at regular intervals (like every month), at particular events (like every time the device gets a major OS update), or very frequently (like every time the device boots). An application should not make any assumptions regarding how often a device is re-initialized (or re-individualized / re-activated / re-provisioned).

Windows 10/11 devices and Xbox

Windows 10/11 and Xbox One / One S / One X / Series S / Series X use PlayReady Remote Provisioning, per application.

This means the device will, at some point, contact a Microsoft server (xxx.microsoft.com) to retrieve the PlayReady Client Initialization data over the Internet, typically the first time an application requiring DRM is run. This provisioning is done separately for each application. For web apps running in Microsoft Edge, provisioning is done separately for each web domain (see the Edge Privacy Whitepaper for more details).

In addition, as stated above, re-provisioning may occur at any time: every month on some devices, at every reboot on others, or less frequently on others. An application should not make any assumptions regarding how often a device is re-provisioned, and it should not use the PlayReady Client Initialization data (including the PlayReady Client Certificate or the Client ID) to uniquely identify a unit.
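
The following added example (not Microsoft's code and not a PlayReady API) shows why a license service's per-account device limit should key on an app-supplied platform ID rather than on the certificate's Client ID. The request fields `account`, `platform_id` and `client_id`, the `DeviceLimiter` class, and the premise that a re-provisioning or a second app presents a different Client ID for the same unit are assumptions made for illustration.

```python
# Added example: hypothetical request fields, not a PlayReady API.
class DeviceLimiter:
    """Per-account device limit for a license service."""

    def __init__(self, max_units, key_field):
        self.max_units = max_units
        self.key_field = key_field  # "platform_id" (recommended) or "client_id" (fragile)
        self.seen = {}              # account -> {key: set of Client IDs observed}

    def authorize(self, req):
        key = req.get(self.key_field)
        if not key:
            return False            # no identifier supplied: refuse, do not guess
        units = self.seen.setdefault(req["account"], {})
        if key not in units and len(units) >= self.max_units:
            return False            # device limit reached for this account
        # The Client ID is recorded for audit only; it never decides identity.
        units.setdefault(key, set()).add(req["client_id"])
        return True


def replay(limiter, requests):
    """Return the authorize() decision for each request, in order."""
    return [limiter.authorize(r) for r in requests]


# Constructed license requests: one physical unit ("plat-A") appears with three
# Client IDs (first provisioning, a later re-provisioning, a second app), then
# a second unit ("plat-B") and a third ("plat-C") join the same account.
REQUESTS = [
    {"account": "alice", "platform_id": "plat-A", "client_id": "cid-01"},
    {"account": "alice", "platform_id": "plat-A", "client_id": "cid-02"},
    {"account": "alice", "platform_id": "plat-A", "client_id": "cid-03"},
    {"account": "alice", "platform_id": "plat-B", "client_id": "cid-04"},
    {"account": "alice", "platform_id": "plat-C", "client_id": "cid-05"},
]

if __name__ == "__main__":
    print("keyed on client_id  :", replay(DeviceLimiter(2, "client_id"), REQUESTS))
    print("keyed on platform_id:", replay(DeviceLimiter(2, "platform_id"), REQUESTS))
```

With a limit of two units, the Client ID keyed limiter locks the first unit out after its second re-provisioning, while the platform ID keyed limiter admits both real units and refuses only the third.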